@bijukunjummen
Created August 31, 2023 02:57
Use federated identity to make a call from GCP to AWS
```python
import boto3
import google.auth.transport.requests
import google.oauth2.id_token

auth_req = google.auth.transport.requests.Request()

# Get a GCP ID token for the running service account, with an audience of 'gcp-aws-access'.
# The token's 'sub' claim is the service account's uniqueId; the AWS trust policy matches on it.
credentials = google.oauth2.id_token.fetch_id_token_credentials('gcp-aws-access', request=auth_req)
credentials.refresh(auth_req)
id_token = credentials.token

# Exchange the ID token at AWS STS for temporary credentials of a role that trusts it.
client = boto3.client("sts")
# Replace 'role-id' with the AWS account id of the role ARN.
response = client.assume_role_with_web_identity(
    RoleArn='arn:aws:iam::role-id:role/google-cloud-sa-access',
    RoleSessionName='gcp-access',
    WebIdentityToken=id_token
)

# Build a boto3 session from the temporary credentials and make AWS calls with it.
accessKey = response["Credentials"]["AccessKeyId"]
secretKey = response["Credentials"]["SecretAccessKey"]
sessionToken = response["Credentials"]["SessionToken"]
awssession = boto3.Session(
    aws_access_key_id=accessKey,
    aws_secret_access_key=secretKey,
    aws_session_token=sessionToken
)
s3 = awssession.client("s3")
print(s3.list_buckets())
```
```bash
# GCP side
service_account=...
gcloud iam service-accounts describe $service_account
# Grab the uniqueId from the output above; it is the 'sub' claim of the ID token.

# AWS side
subject=<uniqueId from above>
# Trust policy: only the Google identity whose 'sub' equals the service account's
# uniqueId may assume the role. Without the Condition, any Google-issued token would qualify.
cat <<EOF > assume-role-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "accounts.google.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "accounts.google.com:sub": "$subject"
        }
      }
    }
  ]
}
EOF
aws iam create-role \
  --role-name google-cloud-sa-access \
  --assume-role-policy-document file://assume-role-policy.json
# Then attach the permissions the role actually needs (e.g. an S3 read policy).
```
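A preflight check added here (not part of the gist) for both halves above: it decodes the ID token's claims without verifying the signature (inspection only; AWS STS verifies the signature) and reports any mismatch between `iss`, `sub`, `aud`, `exp` and what the trust policy will test, and it emits a trust policy that pins both `sub` and `aud` via the `accounts.google.com:aud` condition key, which the gist's policy leaves out. The sample token is constructed and unsigned.

```python
import base64
import json
import time

GOOGLE_ISSUERS = ("https://accounts.google.com", "accounts.google.com")

def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token):
    """Return the payload of a compact JWS token WITHOUT verifying its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_claims(claims, expected_sub, expected_aud, now=None):
    """List every claim that the AWS trust policy (or STS itself) would reject."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") not in GOOGLE_ISSUERS:
        problems.append("iss %r is not a Google issuer" % claims.get("iss"))
    if claims.get("sub") != expected_sub:
        problems.append("sub %r != service account uniqueId %r" % (claims.get("sub"), expected_sub))
    if claims.get("aud") != expected_aud:
        problems.append("aud %r != expected audience %r" % (claims.get("aud"), expected_aud))
    if float(claims.get("exp", 0)) <= now:
        problems.append("token is expired")
    return problems

def trust_policy(expected_sub, expected_aud):
    """Trust policy pinning both the subject and the audience of the Google ID token."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "accounts.google.com"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                "accounts.google.com:sub": expected_sub,
                "accounts.google.com:aud": expected_aud,
            }},
        }],
    }

def unsigned_sample_token(claims):
    """Constructed, unsigned token (alg=none) for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return "%s.%s." % (enc({"alg": "none", "typ": "JWT"}), enc(claims))
```

Run `check_claims(decode_jwt_claims(id_token), subject, "gcp-aws-access")` before calling STS; an empty list means the token matches the role's trust policy.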